这里记录一下在 WebAPI 项目中实现 Token 验证的方法,通常使用基于 JWT (JSON Web Token) 的身份验证。以下是完整的实现步骤:
1. 安装必要的 NuGet 包
首先,安装所需的 NuGet 包:
Install-Package System.IdentityModel.Tokens.Jwt -Version 5.2.2
Install-Package Microsoft.Owin.Security.Jwt -Version 4.0.1
Install-Package Microsoft.Owin.Host.SystemWeb -Version 4.0.1
2. 配置 OWIN Startup 类
添加一个 OWIN Startup 类来配置 JWT 认证:
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security.Jwt;
using Owin;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Web;
using System.Web.Configuration;
[assembly: OwinStartup(typeof(WebApi.Startup))]
namespace WebApi
{
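/// <summary>
/// OWIN startup: registers JWT bearer authentication on the pipeline so that
/// [Authorize]-protected actions receive a principal built from a validated token.
/// </summary>
public class Startup
{
    /// <summary>
    /// Configures the OWIN pipeline with JWT bearer authentication.
    /// </summary>
    /// <param name="app">The OWIN application builder supplied by the host.</param>
    /// <exception cref="InvalidOperationException">
    /// Thrown when JwtIssuer, JwtAudience or JwtSecret is missing from appSettings.
    /// </exception>
    public void Configuration(IAppBuilder app)
    {
        var issuer = RequireSetting("JwtIssuer");
        var audience = RequireSetting("JwtAudience");
        var secret = RequireSetting("JwtSecret");

        // The issuing side derives its signing key from the same UTF-8 bytes of
        // JwtSecret; both sides must agree byte-for-byte or every token is rejected.
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));

        app.UseJwtBearerAuthentication(
            new JwtBearerAuthenticationOptions
            {
                // Active: the middleware authenticates every request and sets the
                // principal, rather than only when a challenge is issued.
                AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateIssuerSigningKey = true,
                    // These three are the library defaults; they are written out so a
                    // reader can see that unsigned or never-expiring tokens are refused.
                    RequireSignedTokens = true,
                    RequireExpirationTime = true,
                    ValidateLifetime = true,
                    ValidIssuer = issuer,
                    ValidAudience = audience,
                    IssuerSigningKey = key,
                    // No tolerance: a token is invalid the moment its exp passes.
                    ClockSkew = TimeSpan.Zero
                }
            });
    }

    /// <summary>
    /// Reads a required appSettings value and fails fast at startup, instead of
    /// letting a null reach Encoding.GetBytes or the validation parameters.
    /// </summary>
    /// <param name="name">The appSettings key.</param>
    /// <returns>The non-empty configured value.</returns>
    /// <exception cref="InvalidOperationException">The key is absent or blank.</exception>
    private static string RequireSetting(string name)
    {
        var value = WebConfigurationManager.AppSettings[name];
        if (string.IsNullOrWhiteSpace(value))
        {
            throw new InvalidOperationException(
                $"Missing required appSettings entry '{name}' in Web.config.");
        }

        return value;
    }
}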
}

3. 添加配置到 Web.config
在 Web.config 的 &lt;appSettings&gt; 部分添加以下配置:
<add key="JwtIssuer" value="TestApiServer"/>
<add key="JwtAudience" value="TestWebApp"/>
<add key="JwtSecret" value="bXlfdGVzdF9zZWNyZXRfa2V5XzEyMzQ1Njc4OTA"/>
<add key="JwtExpireMinutes" value="30"/>
4. 创建 Token 生成服务
创建一个服务类来生成 JWT 令牌:
using Microsoft.IdentityModel.Tokens;
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Web;
using System.Web.Configuration;
namespace WebApi.Tools
{
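/// <summary>
/// Issues HS256-signed JWTs using the issuer, audience and secret from appSettings.
/// The validating side reads the same three settings, so the two stay in step.
/// </summary>
public class TokenService
{
    /// <summary>
    /// RFC 7518 §3.2 requires an HMAC key at least as long as the hash output,
    /// i.e. 256 bits (32 bytes) for HS256.
    /// </summary>
    private const int MinimumSecretBytes = 32;

    /// <summary>
    /// Creates a signed JWT for <paramref name="username"/>.
    /// </summary>
    /// <param name="username">Subject of the token; written to both the sub and name claims.</param>
    /// <returns>The compact-serialized JWT.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="username"/> is null.</exception>
    /// <exception cref="ArgumentException"><paramref name="username"/> is empty or whitespace.</exception>
    /// <exception cref="InvalidOperationException">
    /// A required appSettings entry is missing, JwtExpireMinutes is not a positive
    /// integer, or JwtSecret is shorter than <see cref="MinimumSecretBytes"/>.
    /// </exception>
    public static string GenerateToken(string username)
    {
        if (username == null)
        {
            throw new ArgumentNullException(nameof(username));
        }

        if (string.IsNullOrWhiteSpace(username))
        {
            throw new ArgumentException("Username must not be empty.", nameof(username));
        }

        var issuer = RequireSetting("JwtIssuer");
        var audience = RequireSetting("JwtAudience");
        var secret = RequireSetting("JwtSecret");
        var expireMinutes = ReadExpireMinutes();

        var secretBytes = Encoding.UTF8.GetBytes(secret);
        if (secretBytes.Length < MinimumSecretBytes)
        {
            throw new InvalidOperationException(
                $"appSettings 'JwtSecret' must be at least {MinimumSecretBytes} bytes for HS256.");
        }

        var credentials = new SigningCredentials(
            new SymmetricSecurityKey(secretBytes),
            SecurityAlgorithms.HmacSha256);

        var claims = new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, username),
            // A fresh id per token lets a server-side store identify individual tokens.
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
            new Claim(ClaimTypes.Name, username)
        };

        // exp is a NumericDate in UTC; build it from UtcNow so the server's local
        // time zone never shifts the validity window.
        var token = new JwtSecurityToken(
            issuer: issuer,
            audience: audience,
            claims: claims,
            expires: DateTime.UtcNow.AddMinutes(expireMinutes),
            signingCredentials: credentials);

        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    /// <summary>
    /// Reads a required appSettings value, failing with a clear message instead of
    /// passing a null on to Encoding.GetBytes or the token constructor.
    /// </summary>
    /// <param name="name">The appSettings key.</param>
    /// <returns>The non-empty configured value.</returns>
    /// <exception cref="InvalidOperationException">The key is absent or blank.</exception>
    private static string RequireSetting(string name)
    {
        var value = WebConfigurationManager.AppSettings[name];
        if (string.IsNullOrWhiteSpace(value))
        {
            throw new InvalidOperationException(
                $"Missing required appSettings entry '{name}' in Web.config.");
        }

        return value;
    }

    /// <summary>
    /// Parses JwtExpireMinutes. Convert.ToInt32 on a missing setting silently
    /// yields 0, which would issue an already-expired token; parse explicitly
    /// and insist on a positive value.
    /// </summary>
    /// <returns>The configured lifetime in minutes.</returns>
    /// <exception cref="InvalidOperationException">The value is missing, non-numeric or not positive.</exception>
    private static int ReadExpireMinutes()
    {
        var raw = WebConfigurationManager.AppSettings["JwtExpireMinutes"];
        int minutes;
        if (!int.TryParse(raw, NumberStyles.Integer, CultureInfo.InvariantCulture, out minutes)
            || minutes <= 0)
        {
            throw new InvalidOperationException(
                "appSettings 'JwtExpireMinutes' must be a positive integer.");
        }

        return minutes;
    }
}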
}

5. 创建登录 API 控制器
创建一个控制器来处理用户登录并返回 Token:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Http;
using WebApi.Tools;
namespace WebApi.Controllers
{
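/// <summary>
/// Exchanges a username/password pair for a JWT.
/// </summary>
public class AccountController : ApiController
{
    /// <summary>
    /// POST api/account/login – returns <c>{ "Token": "..." }</c> on success.
    /// </summary>
    /// <param name="model">Credentials from the request body; null when the body is absent or unparsable.</param>
    /// <returns>200 with the token; 400 for a missing or incomplete body; 401 for bad credentials.</returns>
    [HttpPost]
    [Route("api/account/login")]
    public IHttpActionResult Login(LoginModel model)
    {
        // Web API binds a missing or malformed body as null; without this guard the
        // comparison below throws and the client sees a 500 instead of a 400.
        if (model == null || string.IsNullOrEmpty(model.Username) || string.IsNullOrEmpty(model.Password))
        {
            return BadRequest("Username and password are required.");
        }

        if (!IsValidCredential(model.Username, model.Password))
        {
            return Unauthorized();
        }

        var token = TokenService.GenerateToken(model.Username);
        return Ok(new { Token = token });
    }

    /// <summary>
    /// Placeholder credential check for the walkthrough: a single fixed account.
    /// A real deployment replaces this with a lookup against a credential store
    /// that verifies a password hash (e.g. PBKDF2) rather than plain text.
    /// </summary>
    /// <param name="username">Submitted account name.</param>
    /// <param name="password">Submitted password.</param>
    /// <returns>True when the pair matches the fixed demo account.</returns>
    private static bool IsValidCredential(string username, string password)
    {
        return string.Equals(username, "admin", StringComparison.Ordinal)
            && string.Equals(password, "password", StringComparison.Ordinal);
    }
}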
/// <summary>
/// Request body for POST api/account/login.
/// </summary>
public class LoginModel
{
    private string _username;
    private string _password;

    /// <summary>Account name presented by the client.</summary>
    public string Username
    {
        get { return _username; }
        set { _username = value; }
    }

    /// <summary>Password presented by the client for verification.</summary>
    public string Password
    {
        get { return _password; }
        set { _password = value; }
    }
}
}
6. 保护需要认证的 API
在需要认证的控制器或方法上添加 [Authorize] 属性:
7. 测试 API
3. 然后使用返回的 Token 访问受保护的 API,在请求头中添加:Headers: Authorization: Bearer your_token_here
阅读原文:https://mp.weixin.qq.com/s/wV-42HN7nugHLxXFLfEtJQ